The 42001 Institute
EU AI Act & ISO/IEC 42001

The EU AI Act, in the words of someone who works on the standards.

The EU AI Act is the world’s first comprehensive AI regulation — and ISO/IEC 42001 is emerging as the management-system backbone organizations use to meet it. Sid Ahmed Benraouane speaks and trains on the EU AI Act’s risk hierarchy and conformity assessment requirements, advises organizations on how ISO/IEC 42001 maps to the Act, and follows the work of CEN-CENELEC JTC 21 — including prEN 18286, the first harmonized AI standard developed specifically for EU AI Act compliance.

01

What is the EU AI Act risk hierarchy?

The EU AI Act classifies AI systems into four risk tiers, each with different obligations. Prohibited systems (unacceptable risk) — such as social scoring and certain biometric surveillance — are banned outright. High-risk systems — including AI used in hiring, credit, education, critical infrastructure, and law enforcement — face the heaviest obligations: risk management, data governance, human oversight, and conformity assessment before market entry. Limited-risk systems (such as chatbots and AI-generated content) carry transparency obligations. Minimal-risk systems face no new requirements. Benraouane delivers talks and executive training on the risk hierarchy, helping organizations classify their AI systems correctly — the single most consequential step in AI Act compliance.

02

What is a conformity assessment under the EU AI Act?

A conformity assessment is the process by which a provider of a high-risk AI system demonstrates compliance with the Act's requirements before placing the system on the EU market. Depending on the system, this is done through internal control (self-assessment) or through a notified body (third-party assessment). It covers the provider's quality management system, technical documentation, risk management, and post-market monitoring. As a Certified ISO/IEC 42001 Lead Auditor who trains on the Act's conformity assessment provisions, Benraouane helps organizations understand what assessors will look for and how to prepare the evidence.

03

Does ISO/IEC 42001 certification help with EU AI Act compliance?

Yes — significantly, though it is not automatic compliance. ISO/IEC 42001 establishes an AI management system covering risk management, data governance, human oversight, transparency, and continual improvement — the same disciplines the EU AI Act requires, particularly Article 17's quality management system obligations for high-risk providers. A certified 42001 system gives organizations a structured, auditable foundation for AI Act readiness. Benraouane — who served on the ISO working group that developed 42001 and wrote the Routledge guide to certification under it — advises organizations on exactly where the standard maps to the Act and where gaps remain.

04

Is ISO/IEC 42001 required by the EU AI Act?

No. The Act does not mandate any specific standard. But it grants “presumption of conformity” to harmonized European standards, and ISO/IEC 42001 is the leading international framework on which AI Act readiness programs are built. Many organizations pursue 42001 certification as demonstrable evidence of the governance the Act demands — especially those operating across multiple jurisdictions, where an international standard travels better than an EU-only framework.

05

What is prEN 18286 and how does it relate to ISO/IEC 42001?

prEN 18286 — “Artificial Intelligence – Quality Management System for EU AI Act Regulatory Purposes” — is a new European standard being developed by CEN-CENELEC JTC 21, the committee tasked with producing the harmonized standards that support the AI Act. It is designed to give providers of high-risk AI systems presumption of conformity with Article 17 of the Act, and it was the first harmonized AI standard to enter public enquiry. It draws on the same management-system logic as ISO/IEC 42001. Benraouane addresses the CEN-CENELEC work program in his talks and training, including how prEN 18286 and ISO/IEC 42001 will coexist — and what organizations should implement now while the European standard is finalized.

06

Who enforces the EU AI Act, and when do the rules apply?

Enforcement is shared between national market surveillance authorities in each EU member state and the European AI Office for general-purpose AI models. The Act entered into force in August 2024 and applies in stages: prohibitions and AI literacy obligations first, then general-purpose AI rules, with the bulk of high-risk obligations following. Penalties reach up to 7% of global annual turnover for prohibited practices. Organizations deploying AI in or into the EU should map their exposure now rather than waiting for their tier's deadline.

07

How can my organization prepare for both the EU AI Act and ISO/IEC 42001?

Start with an inventory and risk classification of your AI systems against the Act's hierarchy, then build the management system: governance roles, risk and impact assessments, data governance, human oversight, documentation, and monitoring. ISO/IEC 42001 provides the certifiable structure for all of it. The 42001 Institute supports this arc end to end — executive briefings and training on the EU AI Act, gap assessments, certification readiness, and internal audit programs. Reach the Institute on LinkedIn.

Talk to us

Ready to map your organization’s exposure?

Executive briefings, gap assessments, certification readiness, and internal audit programs. Same standards-first foundation whether you’re preparing for the Act, for ISO/IEC 42001 certification, or for both.